CVE-2026-1764: Out-of-bounds Read in Red Hat Red Hat Enterprise Linux 10
CVE-2026-1764 is a vulnerability in GNOME localsearch's MP3 Extractor component on Red Hat Enterprise Linux 10. It involves a missing bounds check in the extract_performers_tags function when processing crafted MP3 files with ID3v2.4 tags. This flaw can cause a heap buffer overflow leading to a denial of service by reading unmapped memory and may also result in information disclosure of heap data.
AI Analysis
Technical Summary
The vulnerability CVE-2026-1764 affects the GNOME localsearch (tracker-miners) MP3 Extractor on Red Hat Enterprise Linux 10. Specifically, a missing bounds check in the extract_performers_tags function when handling specially crafted MP3 files containing ID3v2.4 tags can cause a heap buffer overflow. This can lead to a denial of service condition by triggering reads of unmapped memory and potentially disclose information by reading visible heap data. The CVSS 3.1 base score is 5.6, indicating a medium severity with local attack vector, low complexity, requiring low privileges and user interaction, impacting confidentiality slightly and availability significantly. There is no vendor advisory content indicating a patch or remediation level, and no known exploits in the wild have been reported as of the publication date.
Potential Impact
An attacker with local access and the ability to trick a user into opening a crafted MP3 file could cause a denial of service by triggering out-of-bounds reads leading to heap buffer overflow. Additionally, there is a potential for limited information disclosure from heap memory. The impact on confidentiality is low, while availability impact is high. Integrity is not affected.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-1764 for current remediation guidance. No official fix or temporary workaround is indicated in the provided data. Until a patch is available, avoid processing untrusted MP3 files with ID3v2.4 tags using the affected component.
CVE-2026-1764: Out-of-bounds Read in Red Hat Red Hat Enterprise Linux 10
Description
CVE-2026-1764 is a vulnerability in GNOME localsearch's MP3 Extractor component on Red Hat Enterprise Linux 10. It involves a missing bounds check in the extract_performers_tags function when processing crafted MP3 files with ID3v2.4 tags. This flaw can cause a heap buffer overflow leading to a denial of service by reading unmapped memory and may also result in information disclosure of heap data.
CVSS v3.1
Score 5.6medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-1764 affects the GNOME localsearch (tracker-miners) MP3 Extractor on Red Hat Enterprise Linux 10. Specifically, a missing bounds check in the extract_performers_tags function when handling specially crafted MP3 files containing ID3v2.4 tags can cause a heap buffer overflow. This can lead to a denial of service condition by triggering reads of unmapped memory and potentially disclose information by reading visible heap data. The CVSS 3.1 base score is 5.6, indicating a medium severity with local attack vector, low complexity, requiring low privileges and user interaction, impacting confidentiality slightly and availability significantly. There is no vendor advisory content indicating a patch or remediation level, and no known exploits in the wild have been reported as of the publication date.
Potential Impact
An attacker with local access and the ability to trick a user into opening a crafted MP3 file could cause a denial of service by triggering out-of-bounds reads leading to heap buffer overflow. Additionally, there is a potential for limited information disclosure from heap memory. The impact on confidentiality is low, while availability impact is high. Integrity is not affected.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-1764 for current remediation guidance. No official fix or temporary workaround is indicated in the provided data. Until a patch is available, avoid processing untrusted MP3 files with ID3v2.4 tags using the affected component.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- fedora
- Date Reserved
- 2026-02-02T14:56:26.038Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-1764","vendor":"Red Hat"}]
Threat ID: 6a30ae460b89be68880aeef1
Added to database: 6/16/2026, 2:00:38 AM
Last enriched: 6/16/2026, 2:15:46 AM
Last updated: 6/16/2026, 3:18:12 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.